You can add extra zeroes. XSS bypass on a private bug bounty program
Hi incredible hackers. I got a private invite, and got curious about the program, so I signed up into the main website and started clicking around and using all functions.
I found this endpoint in which the value of “name” parameter was reflecting inside the “iframe” tag.
Fortunately the " character wasn’t being encoded, so I was able to get out of the src.
Problem
( and ` characters were not allowed and causing a 403 error.
test" onload=alert(origin) --> 403
test" onload=print`` --> 403
test" onload=alert origin) --> 200I played with it for a few minutes, but I couldn’t exploit it.
Cure
I texted my buddy 0xrz who is a true monster when it comes to hacking.
I sent him the endpoint and…
Payload:
" onload=alert(origin) value="He told me what is going on here, and I’m writing it down here.
- JS accepts decimal Unicode characters, so we can write
(instead of(. Check it: http://www.endmemo.com/unicode/ascii.php.
But this payload was giving us a 403 page again, and it wasn’t a bypass in this case.
- You can add extra zeroes after
&#and it will be treated as(which is(. Isn’t JS amazing?
Report & Bounty:
Make sure that you follow 0xrz:
Reach me at:
LinkedIn:
https://www.linkedin.com/in/ali-imani-2a896a266/
Twitter:
